How to Use the Netstat Command

The netstat command is a Command Prompt tool that provides detailed information about network connections and statistics, useful for troubleshooting networking issues. It is available on various operating systems including Windows, macOS, and Linux, with different syntax and options for each. Users can utilize various switches to display specific information such as active connections, process identifiers, and protocol-specific statistics.

Uploaded by

quachgiabao

The netstat command, meaning network statistics, is a Command Prompt command used to
display very detailed information about how your computer is communicating with other
computers or network devices.

Specifically, it can show details about individual network connections, overall and protocol-
specific networking statistics, and much more, all of which could help troubleshoot certain kinds
of networking issues.
Lifewire / Nez Riaz

Netstat Command Availability

This command is available from within the Command Prompt in Windows 11, Windows
10, Windows 8, Windows 7, Windows Vista, Windows XP, Windows Server operating systems,
and some older versions of Windows, too.

Since netstat is a cross-platform command, it's also available in other operating systems like
macOS and Linux.

The availability of certain netstat command switches and other netstat command syntax may
differ from operating system to operating system.

Netstat Command Syntax

netstat [-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-t] [-x] [-y] [time_interval] [/?]

Netstat Command List

Option Explanation

netstat Execute the netstat command alone to show a relatively simple list of all
active TCP connections which, for each one, will show the local IP address (your
computer), the foreign IP address (the other computer or network device), along
with their respective port numbers, as well as the TCP state.

-a This switch displays active TCP connections, TCP connections with the listening
state, as well as UDP ports that are being listened to.

-b This netstat switch is very similar to the -o switch listed below, but instead of
displaying the PID, will display the process's actual file name. Using -b over -o
might seem like it's saving you a step or two but using it can sometimes greatly
extend the time it takes netstat to fully execute.

-e Use this switch with the netstat command to show statistics about your network
connection. This data includes bytes, unicast packets, non-unicast packets,
discards, errors, and unknown protocols received and sent since the connection
was established.

-f The -f switch will force the netstat command to display the Fully Qualified Domain
Name (FQDN) for each foreign IP address when possible.

-n Use the -n switch to prevent netstat from attempting to determine host names for
foreign IP addresses. Depending on your current network connections, using this
switch could considerably reduce the time it takes for netstat to fully execute.

-o A handy option for many troubleshooting tasks, the -o switch displays the process
identifier (PID) associated with each displayed connection. See the example below
for more about using netstat -o.

-p Use the -p switch to show connections or statistics only for a particular protocol.
You can not define more than one protocol at once, nor can you execute netstat
with -p without defining a protocol.

protocol When specifying a protocol with the -p option, you can use tcp, udp, tcpv6,
or udpv6. If you use -s with -p to view statistics by protocol, you can
use icmp, ip, icmpv6, or ipv6 in addition to the first four I mentioned.

-r Execute netstat with -r to show the IP routing table. This is the same as using the
route command to execute route print.

-s The -s option can be used with the netstat command to show detailed statistics by
protocol. You can limit the statistics shown to a particular protocol by using the
-s option and specifying that protocol, but be sure to use -s before -p protocol when
using the switches together.

-t Use the -t switch to show the current TCP chimney offload state in place of the
typically displayed TCP state.

-x Use the -x option to show all NetworkDirect listeners, connections, and shared
endpoints.

-y The -y switch can be used to show the TCP connection template for all connections.
You cannot use -y with any other netstat option.

time_interval This is the time, in seconds, that you'd like the netstat command to re-execute
automatically, stopping only when you use Ctrl-C to end the loop.

/? Use the help switch to show details about the netstat command's several options.

Make all that netstat information in the command line easier to work with by outputting what
you see on the screen to a text file using a redirection operator. See How to Redirect Command
Output to a File for complete instructions.

Netstat Command Examples

Here are several examples showing how the netstat command might be used:

Show Active TCP Connections

netstat -f

In this first example, we execute netstat to show all active TCP connections. However, we want
to see the computers that we're connected to in FQDN format [-f] instead of a simple IP
address.

Here's an example of what you might see:

Active Connections

  Proto  Local Address          Foreign Address          State
  TCP    127.0.0.1:5357         VM-Windows-7:49229       TIME_WAIT
  TCP    127.0.0.1:49225        VM-Windows-7:12080       TIME_WAIT
  TCP    192.168.1.14:49194     75.125.212.75:http       CLOSE_WAIT
  TCP    192.168.1.14:49196     a795sm.avast.com:http    CLOSE_WAIT
  TCP    192.168.1.14:49197     a795sm.avast.com:http    CLOSE_WAIT
  TCP    192.168.1.14:49230     TIM-PC:wsd               TIME_WAIT
  TCP    192.168.1.14:49231     TIM-PC:icslap            ESTABLISHED
  TCP    192.168.1.14:49232     TIM-PC:netbios-ssn       TIME_WAIT
  TCP    192.168.1.14:49233     TIM-PC:netbios-ssn       TIME_WAIT
  TCP    [::1]:2869             VM-Windows-7:49226       ESTABLISHED
  TCP    [::1]:49226            VM-Windows-7:icslap      ESTABLISHED

As you can see, there were 11 active TCP connections at the time netstat was executed in this
example. The only protocol (in the Proto column) listed is TCP, which was expected because we
didn't use -a.

You can also see three sets of IP addresses in the Local Address column—the actual address
of 192.168.1.14 and both IPv4 and IPv6 versions of the loopback addresses, along with the port
each connection is using. The Foreign Address column lists the FQDN (75.125.212.75 didn't
resolve for some reason) along with that port as well.

Finally, the State column lists the TCP state of that particular connection.

Show Connections and Process Identifiers

netstat -o

In this example, netstat will be run normally so it only shows active TCP connections, but we
also want to see the corresponding process identifier [-o] for each connection so that we can
determine which program on the computer initiated each one.

Here's what the computer displayed:

Active Connections

  Proto  Local Address          Foreign Address          State         PID
  TCP    192.168.1.14:49194     75.125.212.75:http       CLOSE_WAIT    2948
  TCP    192.168.1.14:49196     a795sm:http              CLOSE_WAIT    2948
  TCP    192.168.1.14:49197     a795sm:http              CLOSE_WAIT    2948

You probably noticed the new PID column. In this case, the PIDs are all the same, meaning the
same program on the computer opened these connections.

To determine what program is represented by the PID of 2948 on the computer, open Task
Manager to the Processes tab, and note the Image Name listed next to the PID we're looking for
in the PID column. [1]

Using the netstat command with the -o option can be very helpful when tracking down which
program is using too big a share of your bandwidth. It can also help locate the destination
where some kind of malware, or even an otherwise legitimate piece of software, might be
sending information without your permission.

While this and the previous example were both run on the same computer, and within just a
minute of each other, you can see that the list of active TCP connections is considerably
different. This is because your computer is constantly connecting to, and disconnecting from,
various other devices on your network and over the internet.

Show Specific Connections Only

netstat -o | findstr 28604

The above example is similar to what we've already looked at, but instead of displaying all
connections, we're telling the command to show only the connections that are using a specific
PID, 28604 in this example.

A similar command could be used to filter out the connections with a CLOSE_WAIT state, by
replacing the PID with ESTABLISHED, so that only the lines containing ESTABLISHED are shown.
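
Added example (not part of the original article): a Python sketch that parses saved `netstat -ano` output (the -a, -n and -o switches from the list above combined) and filters on the PID column exactly, since a `findstr 28604` substring search also matches a line whose port happens to be 28604. It also groups public foreign endpoints per PID, the kind of triage described for the -o switch above. The sample text is constructed, and the function names are illustrative assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of `netstat -ano` (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.14:49194     75.125.212.75:80       CLOSE_WAIT      2948
  TCP    192.168.1.14:49196     75.125.212.75:443      ESTABLISHED     2948
  TCP    192.168.1.14:28604     192.168.1.20:445       ESTABLISHED     4
  TCP    [::1]:49226            [::1]:2869             ESTABLISHED     28604
  UDP    0.0.0.0:5353           *:*                                    1500
"""

def parse(text):
    """Return one dict per connection row; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        host, _, port = f[2].rpartition(":")  # split at the last colon so [::1] survives
        rows.append({"proto": f[0], "local": f[1], "remote_host": host.strip("[]"),
                     "remote_port": port, "state": f[3] if len(f) == 5 else "",
                     "pid": int(f[-1])})
    return rows

def findstr_like(text, needle):
    """What `| findstr <needle>` does: keep any line containing the substring."""
    return [line for line in text.splitlines() if needle in line]

def by_pid(rows, pid):
    """Exact match on the PID column only."""
    return [r for r in rows if r["pid"] == pid]

def public_endpoints_by_pid(rows):
    """Map PID -> sorted foreign endpoints whose address is publicly routable."""
    out = defaultdict(set)
    for r in rows:
        try:
            ip = ipaddress.ip_address(r["remote_host"])
        except ValueError:
            continue  # '*' or a resolved host name; run netstat with -n to classify
        if ip.is_global:
            out[r["pid"]].add(f"{ip}:{r['remote_port']}")
    return {pid: sorted(eps) for pid, eps in out.items()}
```

On the sample, the substring search returns two lines for 28604 (one is PID 4 with local port 28604), while the exact PID filter returns only the loopback connection owned by PID 28604.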

Show Protocol-Specific Stats

netstat -s -p tcp -f

Here, we want to see protocol specific statistics [-s] but not all of them, just TCP stats [-p tcp].
We also want the foreign addresses displayed in FQDN format [-f].

This is what that netstat command produced for us:

TCP Statistics for IPv4

  Active Opens                        = 77
  Passive Opens                       = 21
  Failed Connection Attempts          = 2
  Reset Connections                   = 25
  Current Connections                 = 5
  Segments Received                   = 7313
  Segments Sent                       = 4824
  Segments Retransmitted              = 5

Active Connections

  Proto  Local Address          Foreign Address          State
  TCP    127.0.0.1:2869         VM-Windows-7:49235       TIME_WAIT
  TCP    127.0.0.1:2869         VM-Windows-7:49238       ESTABLISHED
  TCP    127.0.0.1:49238        VM-Windows-7:icslap      ESTABLISHED
  TCP    192.168.1.14:49194     75.125.212.75:http       CLOSE_WAIT
  TCP    192.168.1.14:49196     a795sm.avast.com:http    CLOSE_WAIT
  TCP    192.168.1.14:49197     a795sm.avast.com:http    CLOSE_WAIT

As you can see, various statistics for the TCP protocol are displayed, as are all active TCP
connections at the time.

Show Updated Network Stats


netstat -e -t 5

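In this final example, netstat shows some basic network interface statistics [-e] that are
continually updated in the command window every five seconds [5]. The trailing number is the
time_interval value from the syntax above; -t is the separate TCP chimney offload switch from
the list above and is not what sets the interval.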

Here's what's produced on screen:

Interface Statistics

                           Received            Sent
Bytes                      22132338         1846834
Unicast packets               19113            9869
Non-unicast packets               0               0
Discards                          0               0
Errors                            0               0
Unknown protocols                 0

Interface Statistics

                           Received            Sent
Bytes                      22134630         1846834
Unicast packets               19128            9869
Non-unicast packets               0               0
Discards                          0               0
Errors                            0               0
Unknown protocols                 0

^C

Various pieces of information, which you can see here and that we listed in the -e syntax above,
are displayed.

The command only automatically executed one extra time, as you can see by the two tables in
the result. Note the ^C at the bottom, indicating that the Ctrl+C abort command was used to
stop the re-running of the command.
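
Added example (not from the original article): turning the repeated `netstat -e` tables into per-interval deltas and byte rates, using the two tables shown above with their columns re-aligned. It assumes the five-second interval from the command; `snapshots` and `deltas` are illustrative names.

```python
import re

# The two tables printed by the interval run shown above, blank lines removed.
CAPTURE = """\
Interface Statistics
                           Received            Sent
Bytes                      22132338         1846834
Unicast packets               19113            9869
Non-unicast packets               0               0
Discards                          0               0
Errors                            0               0
Unknown protocols                 0
Interface Statistics
                           Received            Sent
Bytes                      22134630         1846834
Unicast packets               19128            9869
Non-unicast packets               0               0
Discards                          0               0
Errors                            0               0
Unknown protocols                 0
"""

# Counter name, Received value, optional Sent value ("Unknown protocols" has none).
ROW = re.compile(r"^([A-Za-z][A-Za-z -]*?)\s+(\d+)(?:\s+(\d+))?$")

def snapshots(text):
    """Split the capture into one {counter: (received, sent)} dict per table."""
    snaps = []
    for line in text.splitlines():
        line = line.strip()
        if line == "Interface Statistics":
            snaps.append({})
        elif snaps and (m := ROW.match(line)):
            sent = int(m[3]) if m[3] is not None else None
            snaps[-1][m[1]] = (int(m[2]), sent)
    return snaps

def deltas(snaps, interval_s):
    """Per-interval change of every counter, plus byte rates in bytes/second."""
    out = []
    for prev, cur in zip(snaps, snaps[1:]):
        d = {}
        for name, (rx, tx) in cur.items():
            prx, ptx = prev[name]
            d[name] = (rx - prx, None if tx is None else tx - ptx)
        d["rx_Bps"] = d["Bytes"][0] / interval_s
        d["tx_Bps"] = d["Bytes"][1] / interval_s
        out.append(d)
    return out
```

For the capture above this yields one interval with 2292 bytes and 15 unicast packets received and nothing sent, about 458 bytes per second inbound.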
Netstat Related Commands

The netstat command is often used with other networking related Command Prompt
commands like nslookup, ping, tracert, ipconfig, and others.

[1] You might have to manually add the PID column to Task Manager. You can do this by selecting
PID after right-clicking the column headings in the Process tab. If you're using Windows 7 or an
older Windows OS, select the PID (Process Identifier) checkbox from View > Select Columns in
Task Manager. You might also have to choose Show processes from all users from the bottom of
the Processes tab if the PID you're looking for isn't listed.

FAQ

How do I use netstat to look up my proxy?

Run netstat -ban and look through the list for the Process Identifier (PID) of iexplore.exe. This
will show you the proxy port and IP of your system.

What's the difference between netstat and nbtstat commands?

In general, netstat commands are used to display TCP and IP address info, while nbtstat
commands specifically pertain to NetBIOS statistics.
